SlideShare una empresa de Scribd logo

44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus

44CON
44CON

44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus This 2 hour workshop will introduce you to Industrial Ethernet Switches and their vulnerabilities. These are switches used in industrial environments, like substations, factories, refineries, ports, or other other homes of industrial automation equipment. In other words, scada and ICS switches. You will gain familiarity with the basic usage of these switches, and do some very light traffic analysis and firmware reverse engineering. Not only will vulnerabilities be disclosed for the first time (exclusively at 44CON), but the methods of finding those vulnerabilities will be shared. If you have never done any reverse engineering or firmware analysis, this might be a good place to start. You will need to be familiar with a linux commandline, and the usage of tools such as BURP and wireshark. If you are an IDA Pro wizard we welcome your attendance, but we won’t be teaching you anything new. However, we will examine firmware and device embedded webservers with tools such binwalk, strings, grep, xxd, python, scapy, and compression utilities. All vulnerabilities taught/disclosed will be in the default configuration state of the devices. While these vulnerabilities have been responsibly disclosed to the vendors, SCADA/ICS patching in live environments tends to take 1-3 years. So this work will be fresh and useful for your penetration tests in the future. You might even find new vulnerabilities with the chance to play with these devices (which are being brought to 44CON for this workshop)!

Tecnología
1 de 38
Descargar para leer sin conexión
Switches Get Stitches Eireann Leverett @blackswanburst & Colin Cassidy @partimesecguy & Matt Erasmus @undeadsecurity Sep 11 02014
Outline of Workshop General Introduction The Switches Required tools and les Siemens Scalance Family Vulnerabilities GE Multilink Family Vulnerabilities Conclusion
Introduction This is workshop on attacking industrial ethernet switches. We will be focussing primarily on management plane attacks, with a goal to taking over management for the device. We will not be playing around with routing attacks although we will discuss them. This workshop is for you if: I You work at a utility, and you deploy, provision, decommision, or test switches. I You are comfortable at a linux commandline, and can hack web apps, but want to get into embedded. I You are a developer of embedded rmware and want to learn more about systems security. I You are an ohdae enthusiast who likes to watch the chaos. I You can help us get My Little Pony running on a Leapfrog. We love your work!
ICS 101 What's the point? In Industrial Control Systems we're focussed on protecting the control path not the data. The process is what needs to be protected, not accounts, not data condentiality. So the primary concern you have is integrity of process data. All other vulnerabilities, must eventually lead to this, or are not relevant SCADA/ICS.
How does access to the switches work? We only have 2 switches and they have a limited number of ports. We have also had bad experiences in the past with large numbers of people pounding on them, they get bricked. So instead of making them available to everyone in this room at the same time today, we're leaving them up front on the table for you to visit. Please visit in pairs, to perform the kind of attacks you're interested in. Working in pairs often allows the second person to verify the attack succeeds, and cuts down on the load. We have provided you with pcaps and scripts that mean much of your analysis can be done on your own machine. So try to keep to 5-10 minutes on the device, or ask us to demonstrate the attacks on the big screen. You should only need to visit the switches to verify the things you have learned.
Underpants Gnomes == SCADA or ICS presentations My esteemed colleague Jason Larsen has a simple challenge for the mind: You have complete control over the process in a paint factory, now what do you do to attack the process? Or to put it dierently, most SCADA or ICS presentations go: 1. Steal underpants! (Pwn PLC/RTU/HMI) 2. ???? 3. Prot! Discuss.
Protocols 1: You have no integrity There's precious little authentication in many SCADA protocols. There's even less cryptographic integrity. This is often because of real time and safety constraints. However, this also makes it our biggest path to abuse. It is because these protocols use so little crypto, that attacking the switches is such an eective means to compromise. Once compromised, you can recongure them to exltrate data, or create malicious rmwares to MITM the process. Why would we want to create malicious rmwares instead of route the data out and back again? Discuss.
Protocols 2 I GOOSE I modbus I TASE.2 I 101/104 I DNP3 I mrph I ICCP I iec-104 I pronet/probus I canbus I C12.22
Introducing... The Switches we will busticate I Siemens Scalance X200 Version 4.3 I GE Multilin ML800 Version 4.2 However, these vulns work on other members of this switch family. More importantly the techniques we use will be relevant for any work you do. We will gently take you from web app style vulnerabilities, into light rmware reversing and binary analysis. So if you're here to learn and practice, great. If you're a dapper reverse engineer, this might bore you a little, but you can stay to watch me drop ohdae...
Tools 1. Linux commandline (XXD, tcptrace, strings, etc) 2. SNMP walk or other snmp interrogation tool 3. Wireshark/tshark 4. XXD or IDAPro or your hex-editor of choice (view only) 5. Python
Files 1. Siemens Python le (github) 2. Siemens Brute Forcer + pcap le 3. Siemens Session IDs File 4. zlibnder python 5. GE Pcap 6. GE DOS Python
IP Addresses and Credentials 1. GE ML800 is at 192.168.0.12 (HTTPS, Telnet, SNMP, Modbus) 2. Siemens Scalance X200 is at 192.168.0.13 (HTTP,Telnet, SSH, SNMP) 3. GE ML800 Credentials: manager/manager operator/operator 4. Siemens X200 Credentials: admin/admin user/user
Siemens X200 Authentication 1 Firstly open up the pcap le, and see the ow back and forth. Now, to see if we can recover the passwords! We need to know 3 things: 1. Hash Function Used 2. Salt or Nonce? Yes, no, format of either? 3. Precise string format before hashing Q: So how can we learn this information?
Siemens X200 Authentication 2 From the webpage (if it is clientside)! Run tcptrace on the pcap, and nd the login page. Search the page and nd the hashing function. Q: What is the format of the string before hashing? First to answer gets a sticker...
Siemens X200 Authentication 2 A: user:admin:nonce Useful command echo -n admin:password:C0A800020002F72C | md5sum The nonce is given to us in the previous HTTP response or previous HTTP request. The nonce is interesting and useful cryptographically in that it prevents crypto replay attacks. However, it also xes a string in our brute force (sux), as does the user name (prex). This means we can brute force these hashes very easily. If you want to take a few minutes to write an MD5 cracker for this switch, we'll give an example on the next slide.
Siemens Nonces/Session Analysis Open up BURP and prepare to analyse the nonce/session IDs. If you can't use Burp, then you just use WGET to fetch any webpage a few times in rapid succession. Alternatively, examine the Sessions.txt le provided. Q: See any patterns? Discuss.
Siemens Nonces/Session Analysis Answer Switch.....please! I C0A8006500000960 I C0A8006500001A21 I C0A80065000049A6 I C0A8006500005F31 I C0A800610007323F Q: See any patterns? Discuss.
Siemens Nonces/Session Analysis Answer Switch.....please! I C0A8006500000960 I C0A8006500001A21 I C0A80065000049A6 I C0A8006500005F31 I C0A800610007323F Q: See any patterns? Discuss.
Siemens Nonces/Session Analysis Answer Switch.....please! I C0A80065 ) 192.168.0.97 (this is the CLIENTSIDE address) I 0007323F ) 471615 in base 10 (Uptime + 1 of course)! I snmpwalk -Os -c public -v 1 192.168.0.5 I iso.3.6.1.2.1.1.1.0 = STRING: Siemens, SIMATIC NET, SCALANCE X204-2, I 6GK5 204-2BB10-2AA3, HW: 4, FW: V4.03 I iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.4196.1.1.5.2.22 I iso.3.6.1.2.1.1.3.0 = Timeticks: (471614) 1:18:36.14
Siemens Scalance Authentication Bypass A simple unauthenticated HTTP request will allow you to: Download I Log File I Conguration (including password hashes) I Firmware Upload I Conguration (including password hashes) I Firmware
Auth Bypass Demo Be VERY thoughtful before using this tool to bypass authentication and change conguration. Changing IP address or DHCP can screw you up. DON'T FRAG the switch for the next student! Changing authentication can be a pain. You need a previously KNOWN cong! I have provided one for your verication needs... admin/admin users/user
Siemens Switch Conclusion These vulns are patched, but maybe you can nd new ones. Also, even though a patch exists, patch times in ICS/SCADA are regularly 12-18 months after the patch is released. You should be able to use these tools for quite a while! In fact as of today...there still a few on Shodan.io using the old rmware...
This vulnerability reported to GE on May 17 02014 : 148 days ago nearly 5 months ago! They do not have a x yet, I'll let you be the judges.
GE ML800 Key We have captured network trac from the wire interacting with the GE ML800 web admin interface. Within this session we have performed a switch rmware upgrade. This session is in HTTPS, but the rmware upgrade happens over FTP, so we are able to see the rmware le in clear text. We use tcptrace to carve out the les (All hail Ostermann!): tcptrace -n -e rmware-upgrade.pcapng
GE ML800 Key We note that right away, one stream stands out: tcptrace stream 33: 192.168.0.97:20 - 192.168.0.12:1025 (bm2bn) 1356 971 (complete) Primarily because it is a larger stream, but also those ports are interesting, and nally we can see it is a complete stream.
GE ML800 Key The le command doesn't help us much: le results I le bm2bn_contents.dat I bm2bn_contents.dat: data
GE ML800 Key We run strings on this structure, and we nd a lot of random rubbish, but a few pages down we get some clues. Strings output I deate 1.1.3 Copyright 1995-1998 Jean-loup Gailly I inate 1.1.3 Copyright 1995-1998 Mark Adler So it's compressed!
GE ML800 Key Attempting to deate the whole thing fails abyssmally. So we resort to searching for zlib streams in the le with a little help from python. Basically, we iterate over every byte to see if we can nd sections of the le that do not produce zlib errors. When we nd some sections of the le that are legitimate zlib streams. Output of ZLIB-Finder.py I Please enter the lename you wish to analyse: bm2bn_contents.dat I (41576, 4098384) I (1931471, 0)
GE ML800 Key Well, let's carve out that compressed section shall we? Output of dd I dd if=bm2bn_contents.dat of=compressed.bin skip=41576 bs=1 count=4098384 I 1889896+0 records in I 1889896+0 records out I 1889896 bytes (1.9 MB) copied, 2.62979 s, 719 kB/s
GE ML800 Key Now we need to concatenate the magic string to make gzip think it's a valid le and decompress it: magic byte foo printf x1fx8bx08x00x00x00x00x00 | cat - compressed.bin | gzip -dc decomp.bin Which does give us some errors which suggest we might have the length of our dd command wrong. However, we still get some sensible material out of the decompression. To see that, load it up in IDA, or just use strings or xxd.
GE ML800 Key For example, I love just running this on all kinds of embedded rmwares: Command xxd decomp.bin | grep -A 20 '42 4547 494e 2052 5341 2050 5249 5641' | less Which gives you nice little details such as: RESULT! 0036750: 2d42 4547 494e 2052 5341 2050 5249 5641 -BEGIN RSA PRIVA Copy and paste this key into a le.
GE ML800 Key Now if we load it into wireshark using port 443 IP 192.168.0.12 and protocol http, we can even use it to see the session which preceded the rmware upload. This means we can conrm the key decrypts SSL trac and we can even see the user name and password for the device in packet 639.
But wait! There's more! The OEM for this switch is Garretcom (now owned by Belden). So does this default key aect them? Let's wait and see...
I waited nearly 5 months for GE/Garretcom to conrm a patch for this default key. Personaly, I think it would have been more responsible for them to anounce the key compromise immediately and work towards the patch after informing their customers. My recommendations at this time are to update the SSL key over a serial or other point to point connection where you can visually conrm no MITM. After that, change the passwords on the device, since they are not hashed, and thus can be returned to cleartext from the SSL/TLS ciphertext.
Where can we go with these attacks, and what about the underpants gnome? Towards control of the process I Start examining if binary patching of the rmware can be achieved? I Is there rmware codesigning? I Can it be bypassed? I Altering the switch conguration to exltrate process data. I DoS attacks, to disrupt the process. I Basically any MITM attack at this point can disrupt, alter, or drop process trac.1 1With the exception of real time system constraints
Conclusion Today we learned I Session ID Analysis I Brute forcing MD5+NONCE I Binary Analysis I Decompressions I Key Extraction I SSL decryption I How to drop ohdae
Outro Thanks to some peeps for random things... I Reid Nice guy Wightman I Yvan I know. Jannsens I Jason Water Hammer Larsen eireann.leverett@ioactive.com GPG: 9E1D 1459 CB1C DC9F 5638 786C 6EAB 21C0 38D1 57B8 Matt@zonbi.org GPG: 3153 47EE C078 C484 C2BC 814D E5B3 52A8 4493 4B37 colin.cassidy@ioactive.com GPG: 5B1C A26A 8B8E DF82 C338 B1B1 8BD3 0446 451C 872B

Recomendados

Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometPich Pra Tna
 
Joe armstrong erlanga_languageforprogrammingreliablesystems
Joe armstrong erlanga_languageforprogrammingreliablesystemsJoe armstrong erlanga_languageforprogrammingreliablesystems
Joe armstrong erlanga_languageforprogrammingreliablesystemsSentifi
 
Audit
AuditAudit
AuditMark Ellzey Thomas
 
Creating a Playbook to Exploit the Long Tail of IoT
Creating a Playbook to Exploit the Long Tail of IoTCreating a Playbook to Exploit the Long Tail of IoT
Creating a Playbook to Exploit the Long Tail of IoTAricent
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON
 
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 

Recomendados

Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometPich Pra Tna
 
Joe armstrong erlanga_languageforprogrammingreliablesystems
Joe armstrong erlanga_languageforprogrammingreliablesystemsJoe armstrong erlanga_languageforprogrammingreliablesystems
Joe armstrong erlanga_languageforprogrammingreliablesystemsSentifi
 
Audit
AuditAudit
AuditMark Ellzey Thomas
 
Creating a Playbook to Exploit the Long Tail of IoT
Creating a Playbook to Exploit the Long Tail of IoTCreating a Playbook to Exploit the Long Tail of IoT
Creating a Playbook to Exploit the Long Tail of IoTAricent
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON
 
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON
 
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON
 
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON
 
44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens44CON
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON
 
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON
 
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw44CON
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPPich Pra Tna
 
bettercap.pdf
bettercap.pdfbettercap.pdf
bettercap.pdfshehbaz15
 

Más contenido relacionado

Destacado

44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON
 
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON
 
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON
 
44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens44CON
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON
 
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON
 
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw44CON
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON
 

Destacado (20)

44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
 
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
 
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
 
44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
 
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
 
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 

Similar a 44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus

Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPPich Pra Tna
 
bettercap.pdf
bettercap.pdfbettercap.pdf
bettercap.pdfshehbaz15
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2ratnalajaggu
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
Final ProjectFinal Project Details Description Given a spec.docx
Final ProjectFinal Project Details Description Given a spec.docxFinal ProjectFinal Project Details Description Given a spec.docx
Final ProjectFinal Project Details Description Given a spec.docxAKHIL969626
 
An introduction to erlang
An introduction to erlangAn introduction to erlang
An introduction to erlangMirko Bonadei
 
Shift-left SRE: Self-healing on OpenShift with Ansible
Shift-left SRE: Self-healing on OpenShift with AnsibleShift-left SRE: Self-healing on OpenShift with Ansible
Shift-left SRE: Self-healing on OpenShift with AnsibleJürgen Etzlstorfer
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
Nagios Conference 2014 - Gerald Combs - A Trillion Truths
Nagios Conference 2014 - Gerald Combs - A Trillion TruthsNagios Conference 2014 - Gerald Combs - A Trillion Truths
Nagios Conference 2014 - Gerald Combs - A Trillion TruthsNagios
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hackingAmanpreet Singh
 
Cfgmgmt Challenges aren't technical anymore
Cfgmgmt Challenges aren't technical anymoreCfgmgmt Challenges aren't technical anymore
Cfgmgmt Challenges aren't technical anymoreJulien Pivotto
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerForAllSecure
 
When Web Services Go Bad
When Web Services Go BadWhen Web Services Go Bad
When Web Services Go BadSteve Loughran
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days
 
Interview questions
Interview questionsInterview questions
Interview questionsxavier john
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docxstirlingvwriters
 
How to make fewer errors at the stage of code writing. Part N1.
How to make fewer errors at the stage of code writing. Part N1.How to make fewer errors at the stage of code writing. Part N1.
How to make fewer errors at the stage of code writing. Part N1.PVS-Studio
 
How to make fewer errors at the stage of code writing. Part N1
How to make fewer errors at the stage of code writing. Part N1How to make fewer errors at the stage of code writing. Part N1
How to make fewer errors at the stage of code writing. Part N1Andrey Karpov
 

Similar a 44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus (20)

Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIP
 
bettercap.pdf
bettercap.pdfbettercap.pdf
bettercap.pdf
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
Final ProjectFinal Project Details Description Given a spec.docx
Final ProjectFinal Project Details Description Given a spec.docxFinal ProjectFinal Project Details Description Given a spec.docx
Final ProjectFinal Project Details Description Given a spec.docx
 
An introduction to erlang
An introduction to erlangAn introduction to erlang
An introduction to erlang
 
Shift-left SRE: Self-healing on OpenShift with Ansible
Shift-left SRE: Self-healing on OpenShift with AnsibleShift-left SRE: Self-healing on OpenShift with Ansible
Shift-left SRE: Self-healing on OpenShift with Ansible
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
Nagios Conference 2014 - Gerald Combs - A Trillion Truths
Nagios Conference 2014 - Gerald Combs - A Trillion TruthsNagios Conference 2014 - Gerald Combs - A Trillion Truths
Nagios Conference 2014 - Gerald Combs - A Trillion Truths
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
 
Cfgmgmt Challenges aren't technical anymore
Cfgmgmt Challenges aren't technical anymoreCfgmgmt Challenges aren't technical anymore
Cfgmgmt Challenges aren't technical anymore
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a Hacker
 
When Web Services Go Bad
When Web Services Go BadWhen Web Services Go Bad
When Web Services Go Bad
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
 
Interview questions
Interview questionsInterview questions
Interview questions
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docx
 
How to make fewer errors at the stage of code writing. Part N1.
How to make fewer errors at the stage of code writing. Part N1.How to make fewer errors at the stage of code writing. Part N1.
How to make fewer errors at the stage of code writing. Part N1.
 
How to make fewer errors at the stage of code writing. Part N1
How to make fewer errors at the stage of code writing. Part N1How to make fewer errors at the stage of code writing. Part N1
How to make fewer errors at the stage of code writing. Part N1
 

Más de 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON
 

Más de 44CON (17)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 

Último

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Último (20)

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus

  • 1. Switches Get Stitches Eireann Leverett @blackswanburst & Colin Cassidy @partimesecguy & Matt Erasmus @undeadsecurity Sep 11 02014
  • 2. Outline of Workshop General Introduction The Switches Required tools and les Siemens Scalance Family Vulnerabilities GE Multilink Family Vulnerabilities Conclusion
  • 3. Introduction This is workshop on attacking industrial ethernet switches. We will be focussing primarily on management plane attacks, with a goal to taking over management for the device. We will not be playing around with routing attacks although we will discuss them. This workshop is for you if: I You work at a utility, and you deploy, provision, decommision, or test switches. I You are comfortable at a linux commandline, and can hack web apps, but want to get into embedded. I You are a developer of embedded rmware and want to learn more about systems security. I You are an ohdae enthusiast who likes to watch the chaos. I You can help us get My Little Pony running on a Leapfrog. We love your work!
  • 4. ICS 101 What's the point? In Industrial Control Systems we're focussed on protecting the control path not the data. The process is what needs to be protected, not accounts, not data condentiality. So the primary concern you have is integrity of process data. All other vulnerabilities, must eventually lead to this, or are not relevant SCADA/ICS.
  • 5. How does access to the switches work? We only have 2 switches and they have a limited number of ports. We have also had bad experiences in the past with large numbers of people pounding on them, they get bricked. So instead of making them available to everyone in this room at the same time today, we're leaving them up front on the table for you to visit. Please visit in pairs, to perform the kind of attacks you're interested in. Working in pairs often allows the second person to verify the attack succeeds, and cuts down on the load. We have provided you with pcaps and scripts that mean much of your analysis can be done on your own machine. So try to keep to 5-10 minutes on the device, or ask us to demonstrate the attacks on the big screen. You should only need to visit the switches to verify the things you have learned.
  • 6. Underpants Gnomes == SCADA or ICS presentations My esteemed colleague Jason Larsen has a simple challenge for the mind: You have complete control over the process in a paint factory, now what do you do to attack the process? Or to put it dierently, most SCADA or ICS presentations go: 1. Steal underpants! (Pwn PLC/RTU/HMI) 2. ???? 3. Prot! Discuss.
  • 7. Protocols 1: You have no integrity There's precious little authentication in many SCADA protocols. There's even less cryptographic integrity. This is often because of real time and safety constraints. However, this also makes it our biggest path to abuse. It is because these protocols use so little crypto, that attacking the switches is such an eective means to compromise. Once compromised, you can recongure them to exltrate data, or create malicious rmwares to MITM the process. Why would we want to create malicious rmwares instead of route the data out and back again? Discuss.
  • 8. Protocols 2 I GOOSE I modbus I TASE.2 I 101/104 I DNP3 I mrph I ICCP I iec-104 I pronet/probus I canbus I C12.22
  • 9. Introducing... The Switches we will busticate I Siemens Scalance X200 Version 4.3 I GE Multilin ML800 Version 4.2 However, these vulns work on other members of this switch family. More importantly the techniques we use will be relevant for any work you do. We will gently take you from web app style vulnerabilities, into light rmware reversing and binary analysis. So if you're here to learn and practice, great. If you're a dapper reverse engineer, this might bore you a little, but you can stay to watch me drop ohdae...
  • 10. Tools 1. Linux commandline (XXD, tcptrace, strings, etc) 2. SNMP walk or other snmp interrogation tool 3. Wireshark/tshark 4. XXD or IDAPro or your hex-editor of choice (view only) 5. Python
  • 11. Files 1. Siemens Python le (github) 2. Siemens Brute Forcer + pcap le 3. Siemens Session IDs File 4. zlibnder python 5. GE Pcap 6. GE DOS Python
  • 12. IP Addresses and Credentials 1. GE ML800 is at 192.168.0.12 (HTTPS, Telnet, SNMP, Modbus) 2. Siemens Scalance X200 is at 192.168.0.13 (HTTP,Telnet, SSH, SNMP) 3. GE ML800 Credentials: manager/manager operator/operator 4. Siemens X200 Credentials: admin/admin user/user
  • 13. Siemens X200 Authentication 1 Firstly open up the pcap le, and see the ow back and forth. Now, to see if we can recover the passwords! We need to know 3 things: 1. Hash Function Used 2. Salt or Nonce? Yes, no, format of either? 3. Precise string format before hashing Q: So how can we learn this information?
  • 14. Siemens X200 Authentication 2 From the webpage (if it is clientside)! Run tcptrace on the pcap, and nd the login page. Search the page and nd the hashing function. Q: What is the format of the string before hashing? First to answer gets a sticker...
  • 15. Siemens X200 Authentication 2 A: user:admin:nonce Useful command echo -n admin:password:C0A800020002F72C | md5sum The nonce is given to us in the previous HTTP response or previous HTTP request. The nonce is interesting and useful cryptographically in that it prevents crypto replay attacks. However, it also xes a string in our brute force (sux), as does the user name (prex). This means we can brute force these hashes very easily. If you want to take a few minutes to write an MD5 cracker for this switch, we'll give an example on the next slide.
  • 16.
  • 17. Siemens Nonces/Session Analysis Open up BURP and prepare to analyse the nonce/session IDs. If you can't use Burp, then you just use WGET to fetch any webpage a few times in rapid succession. Alternatively, examine the Sessions.txt le provided. Q: See any patterns? Discuss.
  • 18. Siemens Nonces/Session Analysis Answer Switch.....please! I C0A8006500000960 I C0A8006500001A21 I C0A80065000049A6 I C0A8006500005F31 I C0A800610007323F Q: See any patterns? Discuss.
  • 19. Siemens Nonces/Session Analysis Answer Switch.....please! I C0A8006500000960 I C0A8006500001A21 I C0A80065000049A6 I C0A8006500005F31 I C0A800610007323F Q: See any patterns? Discuss.
  • 20. Siemens Nonces/Session Analysis Answer Switch.....please! I C0A80065 ) 192.168.0.97 (this is the CLIENTSIDE address) I 0007323F ) 471615 in base 10 (Uptime + 1 of course)! I snmpwalk -Os -c public -v 1 192.168.0.5 I iso.3.6.1.2.1.1.1.0 = STRING: Siemens, SIMATIC NET, SCALANCE X204-2, I 6GK5 204-2BB10-2AA3, HW: 4, FW: V4.03 I iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.4196.1.1.5.2.22 I iso.3.6.1.2.1.1.3.0 = Timeticks: (471614) 1:18:36.14
  • 21. Siemens Scalance Authentication Bypass A simple unauthenticated HTTP request will allow you to: Download I Log File I Conguration (including password hashes) I Firmware Upload I Conguration (including password hashes) I Firmware
  • 22. Auth Bypass Demo Be VERY thoughtful before using this tool to bypass authentication and change conguration. Changing IP address or DHCP can screw you up. DON'T FRAG the switch for the next student! Changing authentication can be a pain. You need a previously KNOWN cong! I have provided one for your verication needs... admin/admin users/user
  • 23. Siemens Switch Conclusion These vulns are patched, but maybe you can nd new ones. Also, even though a patch exists, patch times in ICS/SCADA are regularly 12-18 months after the patch is released. You should be able to use these tools for quite a while! In fact as of today...there still a few on Shodan.io using the old rmware...
  • 24. This vulnerability reported to GE on May 17 02014 : 148 days ago nearly 5 months ago! They do not have a x yet, I'll let you be the judges.
  • 25. GE ML800 Key We have captured network trac from the wire interacting with the GE ML800 web admin interface. Within this session we have performed a switch rmware upgrade. This session is in HTTPS, but the rmware upgrade happens over FTP, so we are able to see the rmware le in clear text. We use tcptrace to carve out the les (All hail Ostermann!): tcptrace -n -e rmware-upgrade.pcapng
  • 26. GE ML800 Key We note that right away, one stream stands out: tcptrace stream 33: 192.168.0.97:20 - 192.168.0.12:1025 (bm2bn) 1356 971 (complete) Primarily because it is a larger stream, but also those ports are interesting, and nally we can see it is a complete stream.
  • 27. GE ML800 Key The le command doesn't help us much: le results I le bm2bn_contents.dat I bm2bn_contents.dat: data
  • 28. GE ML800 Key We run strings on this structure, and we nd a lot of random rubbish, but a few pages down we get some clues. Strings output I deate 1.1.3 Copyright 1995-1998 Jean-loup Gailly I inate 1.1.3 Copyright 1995-1998 Mark Adler So it's compressed!
  • 29. GE ML800 Key Attempting to deate the whole thing fails abyssmally. So we resort to searching for zlib streams in the le with a little help from python. Basically, we iterate over every byte to see if we can nd sections of the le that do not produce zlib errors. When we nd some sections of the le that are legitimate zlib streams. Output of ZLIB-Finder.py I Please enter the lename you wish to analyse: bm2bn_contents.dat I (41576, 4098384) I (1931471, 0)
  • 30. GE ML800 Key Well, let's carve out that compressed section shall we? Output of dd I dd if=bm2bn_contents.dat of=compressed.bin skip=41576 bs=1 count=4098384 I 1889896+0 records in I 1889896+0 records out I 1889896 bytes (1.9 MB) copied, 2.62979 s, 719 kB/s
  • 31. GE ML800 Key Now we need to concatenate the magic string to make gzip think it's a valid le and decompress it: magic byte foo printf x1fx8bx08x00x00x00x00x00 | cat - compressed.bin | gzip -dc decomp.bin Which does give us some errors which suggest we might have the length of our dd command wrong. However, we still get some sensible material out of the decompression. To see that, load it up in IDA, or just use strings or xxd.
  • 32. GE ML800 Key For example, I love just running this on all kinds of embedded rmwares: Command xxd decomp.bin | grep -A 20 '42 4547 494e 2052 5341 2050 5249 5641' | less Which gives you nice little details such as: RESULT! 0036750: 2d42 4547 494e 2052 5341 2050 5249 5641 -BEGIN RSA PRIVA Copy and paste this key into a le.
  • 33. GE ML800 Key Now if we load it into wireshark using port 443 IP 192.168.0.12 and protocol http, we can even use it to see the session which preceded the rmware upload. This means we can conrm the key decrypts SSL trac and we can even see the user name and password for the device in packet 639.
  • 34. But wait! There's more! The OEM for this switch is Garretcom (now owned by Belden). So does this default key aect them? Let's wait and see...
  • 35. I waited nearly 5 months for GE/Garretcom to conrm a patch for this default key. Personaly, I think it would have been more responsible for them to anounce the key compromise immediately and work towards the patch after informing their customers. My recommendations at this time are to update the SSL key over a serial or other point to point connection where you can visually conrm no MITM. After that, change the passwords on the device, since they are not hashed, and thus can be returned to cleartext from the SSL/TLS ciphertext.
  • 36. Where can we go with these attacks, and what about the underpants gnome? Towards control of the process I Start examining if binary patching of the rmware can be achieved? I Is there rmware codesigning? I Can it be bypassed? I Altering the switch conguration to exltrate process data. I DoS attacks, to disrupt the process. I Basically any MITM attack at this point can disrupt, alter, or drop process trac.1 1With the exception of real time system constraints
  • 37. Conclusion Today we learned I Session ID Analysis I Brute forcing MD5+NONCE I Binary Analysis I Decompressions I Key Extraction I SSL decryption I How to drop ohdae
  • 38. Outro Thanks to some peeps for random things... I Reid Nice guy Wightman I Yvan I know. Jannsens I Jason Water Hammer Larsen eireann.leverett@ioactive.com GPG: 9E1D 1459 CB1C DC9F 5638 786C 6EAB 21C0 38D1 57B8 Matt@zonbi.org GPG: 3153 47EE C078 C484 C2BC 814D E5B3 52A8 4493 4B37 colin.cassidy@ioactive.com GPG: 5B1C A26A 8B8E DF82 C338 B1B1 8BD3 0446 451C 872B